fix(ssl): improve SSL cert file mounts

- If SSL is disabled, delete the SSL crt and file mounts in the DB
- If SSL is disabled, delete the SSL folder
- If SSL is enabled, make sure the file mounts are added inside the helper
- remove old file mounts first to make sure the ssl crt content is always up to date and no duplicates are added

app/Actions/Database/StartPostgresql.php

@@ -36,12 +36,33 @@ public function handle(StandalonePostgresql $database)
             "echo 'Creating directories.'",
             "mkdir -p $this->configuration_dir",
             "mkdir -p $this->configuration_dir/docker-entrypoint-initdb.d/",
-            "mkdir -p $this->configuration_dir/ssl",
             "echo 'Directories created successfully.'",
         ];
 
-        if ($this->database->enable_ssl) {
+        if (! $this->database->enable_ssl) {
+            $this->commands[] = "rm -rf $this->configuration_dir/ssl";
+
+            SslCertificate::where('resource_type', $this->database->getMorphClass())
+                ->where('resource_id', $this->database->id)
+                ->delete();
+
+            $this->database->fileStorages()
+                ->where('resource_type', $this->database->getMorphClass())
+                ->where('resource_id', $this->database->id)
+                ->get()
+                ->filter(function ($storage) {
+                    return in_array($storage->mount_path, [
+                        '/var/lib/postgresql/certs/server.crt',
+                        '/var/lib/postgresql/certs/server.key',
+                    ]);
+                })
+                ->each(function ($storage) {
+                    $storage->delete();
+                });
+        } else {
             $this->commands[] = "echo 'Setting up SSL for this database.'";
+            $this->commands[] = "rm -rf $this->configuration_dir/ssl";
+            $this->commands[] = "mkdir -p $this->configuration_dir/ssl";
             $server = $this->database->destination->server;
 
             $caCert = SslCertificate::where('server_id', $server->id)->firstOrFail();
@@ -57,8 +78,8 @@ public function handle(StandalonePostgresql $database)
                     serverId: $server->id,
                     caCert: $caCert->ssl_certificate,
                     caKey: $caCert->ssl_private_key,
+                    configurationDir: $this->configuration_dir,
                 );
-                $this->addSslFilesToFileStorage();
             }
         }
 
@@ -300,27 +321,4 @@ private function add_custom_conf()
         $content_base64 = base64_encode($content);
         $this->commands[] = "echo '{$content_base64}' | base64 -d | tee $config_file_path > /dev/null";
     }
-
-    private function addSslFilesToFileStorage()
-    {
-        if (! $this->ssl_certificate) {
-            return;
-        }
-
-        $this->database->fileStorages()->create([
-            'fs_path' => $this->configuration_dir.'/ssl/server.crt',
-            'mount_path' => '/var/lib/postgresql/certs/server.crt',
-            'content' => $this->ssl_certificate->ssl_certificate,
-            'is_directory' => false,
-            'chmod' => '644',
-        ]);
-
-        $this->database->fileStorages()->create([
-            'fs_path' => $this->configuration_dir.'/ssl/server.key',
-            'mount_path' => '/var/lib/postgresql/certs/server.key',
-            'content' => $this->ssl_certificate->ssl_private_key,
-            'is_directory' => false,
-            'chmod' => '600',
-        ]);
-    }
 }

app/Helpers/SslHelper.php

@@ -23,7 +23,8 @@ public static function generateSslCertificate(
         int $validityDays = 365,
         ?string $caCert = null,
         ?string $caKey = null,
-        bool $isCaCertificate = false
+        bool $isCaCertificate = false,
+        ?string $configurationDir = null
     ): SslCertificate {
 
         try {
@@ -101,17 +102,58 @@ public static function generateSslCertificate(
                 ->where('server_id', $serverId)
                 ->delete();
 
-            return SslCertificate::create([
+            $sslCertificate = SslCertificate::create([
                 'ssl_certificate' => $certificateStr,
                 'ssl_private_key' => $privateKeyStr,
                 'resource_type' => $resourceType,
                 'resource_id' => $resourceId,
                 'server_id' => $serverId,
+                'configuration_dir' => $configurationDir,
                 'valid_until' => CarbonImmutable::now()->addDays($validityDays),
                 'is_ca_certificate' => $isCaCertificate,
                 'common_name' => $commonName,
                 'subject_alternative_names' => $subjectAlternativeNames,
             ]);
+
+            if ($configurationDir && $resourceType && $resourceId) {
+                $model = app($resourceType)->find($resourceId);
+
+                $model->fileStorages()
+                    ->where('resource_type', $model->getMorphClass())
+                    ->where('resource_id', $model->id)
+                    ->get()
+                    ->filter(function ($storage) {
+                        return in_array($storage->mount_path, [
+                            '/var/lib/postgresql/certs/server.crt',
+                            '/var/lib/postgresql/certs/server.key',
+                        ]);
+                    })
+                    ->each(function ($storage) {
+                        $storage->delete();
+                    });
+
+                $model->fileStorages()->create([
+                    'fs_path' => $configurationDir.'/ssl/server.crt',
+                    'mount_path' => '/var/lib/postgresql/certs/server.crt',
+                    'content' => $certificateStr,
+                    'is_directory' => false,
+                    'chmod' => '644',
+                    'resource_type' => $resourceType,
+                    'resource_id' => $resourceId,
+                ]);
+
+                $model->fileStorages()->create([
+                    'fs_path' => $configurationDir.'/ssl/server.key',
+                    'mount_path' => '/var/lib/postgresql/certs/server.key',
+                    'content' => $privateKeyStr,
+                    'is_directory' => false,
+                    'chmod' => '600',
+                    'resource_type' => $resourceType,
+                    'resource_id' => $resourceId,
+                ]);
+            }
+
+            return $sslCertificate;
         } catch (\Throwable $e) {
             throw new \RuntimeException('SSL Certificate generation failed: '.$e->getMessage(), 0, $e);
         }

app/Livewire/Project/Database/Postgresql/General.php

@@ -144,6 +144,7 @@ public function regenerateSslCertificate()
                 serverId: $existingCert->server_id,
                 caCert: $caCert->ssl_certificate,
                 caKey: $caCert->ssl_private_key,
+                configurationDir: $existingCert->configuration_dir,
             );
 
             $this->dispatch('success', 'SSL certificates have been regenerated. Please restart the database for changes to take effect.');

app/Models/SslCertificate.php

@@ -9,6 +9,7 @@ class SslCertificate extends Model
     protected $fillable = [
         'ssl_certificate',
         'ssl_private_key',
+        'configuration_dir',
         'resource_type',
         'resource_id',
         'server_id',

database/migrations/2025_01_27_153741_create_ssl_certificates_table.php

@@ -12,6 +12,7 @@ public function up()
             $table->id();
             $table->text('ssl_certificate');
             $table->text('ssl_private_key');
+            $table->text('configuration_dir')->nullable();
             $table->string('resource_type')->nullable();
             $table->unsignedBigInteger('resource_id')->nullable();
             $table->unsignedBigInteger('server_id');